So there are a number of ways to approach this, but they'll all require you to write some code.
I don't know your current system or skillset, but this is how I'd do it:
have someone sign up to create a club in an application in the default tenant.
create the tenant, but no users in the tenant. You could set defaults as needed.
verify they are a real club (in whatever way you desire)
on verification, add an application and a user account based on the account in the default teannt. Notify the user via email that their club account is now available.
users can then sign in to the created application in the new tenant.
If you need the ability to deactivate the tenant, I'd write a script that deactivates all applications within a tenant and possibly deactivates the user in the default tenant. Note that when a user can't log in to an application, you may have to check carefully for an HTTP status, see more here.
Is there a way to customize the login process to check other conditions besides the credentials, in this case the 'verified' attribute?
If you are using the login API, you can check any number of items on the user or other objects, but you have to build your own pages. If you are using the OAuth grants or the provided login pages, there are no customizations like you suggest available. Please feel free to file a github issue with details of how you'd like this feature to work.
Hope this helps.
